[actions] restrict permissions for `GITHUB_TOKEN`

Step Security 2021-09-10 06:09:45 +00:00 committed by Jordan Harband
parent 2dad0455ec
commit 59532c74c6
No known key found for this signature in database
GPG Key ID: 9F6A681E35EF8B56
8 changed files with 32 additions and 0 deletions


@ -4,6 +4,8 @@ on: [pull_request, push]
jobs: jobs:
nodes: nodes:
permissions:
contents: read
name: 'nvm install-latest-npm' name: 'nvm install-latest-npm'
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -44,6 +46,8 @@ jobs:
- run: npm --version - run: npm --version
node: node:
permissions:
contents: none
name: 'nvm install-latest-npm' name: 'nvm install-latest-npm'
needs: [nodes] needs: [nodes]
runs-on: ubuntu-latest runs-on: ubuntu-latest
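Review bot: The new `permissions` blocks are attached to individual jobs, so any job added to this workflow later without its own block still runs with the repository's default `GITHUB_TOKEN` scopes; a workflow-level `permissions:` at the top of the file (for example `permissions:` / `contents: read` next to `on:`) would make least privilege the default and let a job widen only what it needs. The same observation applies to every other workflow touched by this commit. Note that once a job-level block names any scope, every scope it does not list is set to `none`, so `contents: read` on the `nodes` job already grants nothing beyond repository read. The `nodes` and `node` job definitions continue outside the hunks.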


@ -4,6 +4,8 @@ on: [pull_request, push]
jobs: jobs:
eclint: eclint:
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
@ -14,6 +16,8 @@ jobs:
- run: npm run eclint - run: npm run eclint
dockerfile_lint: dockerfile_lint:
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
@ -24,6 +28,8 @@ jobs:
- run: npm run dockerfile_lint - run: npm run dockerfile_lint
doctoc: doctoc:
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
@ -34,6 +40,8 @@ jobs:
- run: npm run doctoc:check - run: npm run doctoc:check
test_naming: test_naming:
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2


@ -4,6 +4,8 @@ on: [pull_request_target]
jobs: jobs:
_: _:
permissions:
contents: write
name: "Automatic Rebase" name: "Automatic Rebase"
runs-on: ubuntu-latest runs-on: ubuntu-latest
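Review bot: `contents: write` here is the only scope in this commit that goes beyond read, and it sits on a `pull_request_target` workflow, which runs in the base repository's context with that token even for pull requests opened from forks; that combination is safe only if the job never checks out or executes code from the PR head, which cannot be confirmed from the hunk because the job's steps lie outside it. A short comment recording why write is needed and that constraint would help future reviewers, e.g. `# contents: write is presumably required to push the rebased branch; this job must never check out or run PR-head code`. The `update readme TOC` job later in this commit also receives `contents: write` and would benefit from the same one-line justification.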


@ -4,6 +4,8 @@ on: [pull_request, push]
jobs: jobs:
release: release:
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2


@ -4,6 +4,8 @@ on: [pull_request_target]
jobs: jobs:
_: _:
permissions:
pull-requests: read
name: "Require “Allow Edits”" name: "Require “Allow Edits”"
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -4,6 +4,8 @@ on: [pull_request, push]
jobs: jobs:
shellcheck_matrix: shellcheck_matrix:
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
fail-fast: false fail-fast: false
@ -32,6 +34,8 @@ jobs:
run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }} run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }}
shellcheck: shellcheck:
permissions:
contents: none
needs: [shellcheck_matrix] needs: [shellcheck_matrix]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:


@ -4,6 +4,8 @@ on: [push]
jobs: jobs:
_: _:
permissions:
contents: write
name: "update readme TOC" name: "update readme TOC"
runs-on: ubuntu-latest runs-on: ubuntu-latest

8
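--- a/.github/workflows/windows-npm.yml
+++ b/.github/workflows/windows-npm.yml
@@ -9,6 +9,8 @@ env:
 jobs:
 msys_fail_install:
 # Default installation does not work due to npm_config_prefix set to C:\npm\prefix
+permissions:
+contents: none
 name: 'MSYS fail prefix nvm install'
 runs-on: windows-latest
 steps:
@@ -20,6 +22,8 @@ jobs:
 ! nvm install --lts
 msys_matrix:
+permissions:
+contents: none
 name: 'MSYS nvm install'
 runs-on: windows-latest
 strategy:
@@ -43,6 +47,8 @@ jobs:
 nvm install ${{ matrix.npm-node-version }}
 cygwin_matrix:
+permissions:
+contents: none
 name: 'Cygwin nvm install'
 runs-on: windows-latest
 steps:
@@ -111,6 +117,8 @@ jobs:
 nvm install ${{ matrix.npm-node-version }}
 nvm_windows:
+permissions:
+contents: none
 needs: [wsl_matrix, cygwin_matrix, msys_matrix, msys_fail_install]
 runs-on: ubuntu-latest
 steps: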
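Review bot: `contents: none` on `msys_fail_install`, `msys_matrix` and `cygwin_matrix` is correct only if none of their steps checks out the repository; the `steps:` bodies fall outside these hunks, and the lint jobs elsewhere in this commit that use `actions/checkout@v2` were given `contents: read` instead. If any of these Windows jobs does use `actions/checkout`, it will likely need `contents: read` as well; if none does, a one-line comment such as `# no checkout in this job, so the token needs no scopes` would record that intent. The `nvm_windows` aggregator job only has `needs:` visible and the same caveat applies to its steps. The mode change from 100755 to 100644 in the file header is fine, a workflow file does not need the executable bit.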